On 27 Oct 2010, at 08:27, S.P.Zeidler wrote:

> Thus wrote Rémi Després ([email protected]):
> 
>> Yet, I acknowledge that NAT66 can work if:
>> - a site is single-homed or multihomed with an IPv6 PI prefix
> 
> The entire point of NAT66 use cases is to gain some benefits of
> a PI prefix without incurring the associated cost.


As I tried to explain in a previous mail on this list:
- If a private-site network has two CPEs giving access to two ISPs with PA 
prefixes, the CPE via which a packet goes to the Internet depends on the 
intra-site routing.
- If intra-site routing DOESN'T make sure that all packets from a given host 
always go to the same CPE, then TCP connections will be broken because:
 . packets that go via a CPE different from that traversed by the SYN 
packet will be received with a different source address
 . they will then be discarded at their destination because they have a 
different source address than that of the 5-tuple that identifies the 
connection.
 . the available tool to work with several source addresses, SHIM6, can't help 
because, due to NAT66, hosts don't know their global addresses.
- If intra-site routing DOES make sure that all packets from a given host 
always go to the same CPE, incoming connections that come via the other CPE will 
be broken because outgoing packets will never have the right global source 
address.


This being said, I do agree that there is a small window of opportunity for 
NAT66 in multihoming sites with multiple PAs, namely IF:
- No incoming connection to any host is intended to be desirable in IPv6
- There is a need that some hosts do reach IPv6-only servers
- Intra-site routing is such that outgoing packets of a host always go to the 
same CPE, at least in the absence of ISP-access failure.
- There is no intention that any host can use SHIM6 as a tool to maintain 
connections when an ISP access fails.

I find these conditions extremely restrictive but, clearly, one is free to 
accept them.

Technical comments on the above are welcome.
If this is wrong, explaining why will be progress.
If this is right, these limitations should IMHO be documented, e.g. in the 
applicability section of the NAT66 document.


Regards,
RD








> ...
> NAT66 when you have PI is supremely pointless.

To be remembered.


> 
> regards,
>       spz
> -- 
> [email protected] (S.P.Zeidler)


_______________________________________________
nat66 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/nat66
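
The two failure cases described in the message above can be reproduced with a small model. This is an added example, not part of the original e-mail or of the NAT66 draft; the prefixes, addresses, ports and function names are constructed, and NAT66 is reduced to a plain prefix swap.

```python
import ipaddress

# Constructed values: a ULA site prefix and two documentation prefixes
# standing in for the PA prefixes delegated by ISP A and ISP B.
SITE = ipaddress.ip_network("fd00:1::/48")
CPE_PREFIX = {"A": ipaddress.ip_network("2001:db8:a::/48"),
              "B": ipaddress.ip_network("2001:db8:b::/48")}
HOST = ipaddress.ip_address("fd00:1::10")
SERVER = ipaddress.ip_address("2001:db8:ffff::1")

def swap_prefix(addr, old, new):
    """Simplified NAT66 (assumption): replace the prefix, keep the low bits."""
    low = int(addr) & int(old.hostmask)
    return ipaddress.ip_address(int(new.network_address) | low)

def outbound_src(cpe):
    """Source address seen on the Internet for a HOST packet leaving via cpe."""
    return swap_prefix(HOST, SITE, CPE_PREFIX[cpe])

def simulate_outgoing(path, sport=40000, dport=443):
    """path[0] is the CPE crossed by the SYN, the rest carry later segments.
    Returns, per packet, whether SERVER matches it to the connection."""
    connections = set()                      # server-side table of 5-tuples
    results = []
    for i, cpe in enumerate(path):
        five_tuple = ("tcp", outbound_src(cpe), sport, SERVER, dport)
        if i == 0:
            connections.add(five_tuple)      # the SYN creates the state
        results.append(five_tuple in connections)
    return results

def incoming_reply_matches(inbound_cpe, pinned_cpe):
    """A remote client connects to HOST's global address behind inbound_cpe,
    while intra-site routing pins HOST's outgoing packets to pinned_cpe.
    True if the reply carries the address the client dialled."""
    dialled = outbound_src(inbound_cpe)      # destination of the client's SYN
    reply_src = outbound_src(pinned_cpe)     # source of HOST's SYN-ACK
    return reply_src == dialled

if __name__ == "__main__":
    print("all via A:       ", simulate_outgoing(["A", "A", "A"]))
    print("one segment via B:", simulate_outgoing(["A", "B", "A"]))
    print("inbound via B, replies pinned to A:",
          incoming_reply_matches("B", "A"))
```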
